Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    87s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    10-09-2021 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe

  • Size

    4.0MB

  • MD5

    9cadcadb612787dc6c2e9901ffe49dec

  • SHA1

    dfaeffadd7767ea23cabc31a59ae2cd461abf00f

  • SHA256

    6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb

  • SHA512

    e7d908a73e85965359169b9d3e14ec3f1f81218354aa09a8d6c027be230e30c4f334122b933579ce6ad35e5eaffc01c6d8124e5f1a11671b7f6b36549d55beff

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe
    "C:\Users\Admin\AppData\Local\Temp\6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlmeisxk\rlmeisxk.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7F7.tmp" "c:\Users\Admin\AppData\Local\Temp\rlmeisxk\CSC4A66E73C306D4AD9B2C12ABD8513448.TMP"
          4⤵
            PID:5012
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1836
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3336
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:4440
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:3056
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:4220
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2824
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2628
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4136
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3636
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:648
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1016
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4636
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4376
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3932
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:5032
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:5036

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1836-412-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-198-0x0000000008CE0000-0x0000000008D13000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/1836-186-0x0000000004D40000-0x0000000004D41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-187-0x0000000004D42000-0x0000000004D43000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-206-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-207-0x000000007EBD0000-0x000000007EBD1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-212-0x0000000008E10000-0x0000000008E11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-213-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1836-406-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2652-697-0x0000000004F72000-0x0000000004F73000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2652-792-0x000000007FA90000-0x000000007FA91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2652-696-0x0000000004F70000-0x0000000004F71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3336-467-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3336-442-0x00000000071E2000-0x00000000071E3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3336-441-0x00000000071E0000-0x00000000071E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-120-0x0000000005862000-0x0000000005863000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-115-0x0000000005C80000-0x000000000607F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/4684-123-0x0000000008650000-0x0000000008651000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-122-0x00000000061A0000-0x00000000061A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-121-0x0000000005863000-0x0000000005864000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-117-0x0000000006580000-0x0000000006581000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-118-0x0000000006220000-0x0000000006221000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-119-0x0000000005860000-0x0000000005861000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4684-124-0x0000000005864000-0x0000000005865000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-134-0x00000000080F0000-0x00000000080F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-138-0x0000000008A10000-0x0000000008A11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-153-0x0000000009790000-0x0000000009791000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-131-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-136-0x00000000051D0000-0x00000000051D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-137-0x00000000051D2000-0x00000000051D3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-145-0x0000000009700000-0x0000000009701000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-128-0x0000000005220000-0x0000000005221000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-1126-0x000000007EF40000-0x000000007EF41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-155-0x00000000051D3000-0x00000000051D4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-135-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-144-0x0000000009E30000-0x0000000009E31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-176-0x0000000009B00000-0x0000000009B01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-133-0x00000000082C0000-0x00000000082C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-129-0x0000000007920000-0x0000000007921000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4796-130-0x0000000007F50000-0x0000000007F51000-memory.dmp

                    Filesize

                    4KB

                    Download